technology and zen of life

“A heisenbug (named after the Heisenberg Uncertainty Principle) is a computer bug that disappears or alters its characteristics when an attempt is made to study it.”

Installation notes for Postfix, SASL and Unbound on RHEL 6

Today I finished installing and configuring a filtering mail server that does virus and spam filtering. In fact, it only does filtering, and then passes the mail on to the internal mail servers.

I hit a few hurdles and these installation notes are meant for my own future reference. I publish them on this weblog so others might benefit as well.

Environment

A Scientific Linux (RHEL clone) 6.4 64-bit installation, virtualized inside a KVM host. I use macvtap/macvlan networking and virtio drivers. The EPEL repository is activated.

I used the Spamassassin Ultimate Setup Guide written by Warren Togami to get most of the system up.

Fixing SASL support for Postfix

My SASL-Postfix configuration

As the mailserver is mainly a spam filter and frontend SMTP receiver, I do not run Dovecot or other IMAP servers on the box. So I opted for the Cyrus SASL components.

Furthermore I use the sasldb plugin to have more secure password mechanisms over the line (I don’t care about the unencrypted storage as my SMTP passwords differ from user passwords). Manage SMTP users with saslpasswd2 (the database is stored in /etc/sasldb2).

Install SASL support:

yum install cyrus-sasl*

cat /etc/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: CRAM-MD5 DIGEST-MD5 NTLM

grep sasl /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext

Postfix error: no SASL authentication mechanisms

less /var/log/messages

filter postfix/smtpd[12154]: fatal: no SASL authentication mechanisms

Install all “mechanisms”:

yum install cyrus-sasl*

Check mechanism files using:

ls /usr/lib64/sasl2/

Postfix error: sql_select option missing

less /var/log/messages

Oct 17 12:41:35 filter postfix/smtpd[3852]: sql_select option missing
Oct 17 12:41:35 filter postfix/smtpd[3852]: auxpropfunc error no mechanism available
Oct 17 12:41:35 filter postfix/smtpd[3852]: auxpropfunc error invalid parameter supplied

According to CarbonCopy, “I found this on another site and it worked fine”

The workaround for the above problem is actually quite simple, really. You simply remove all the libsql* files in /usr/local/lib/sasl2. That’s it. Personally, I moved them all into a folder I created in that directory on the off chance that I may need them in the future. Obviously, this is going to wreak havoc if you are using libsasl for more than one app’s authentication and the other one uses sql. But, if you are using it as I am, where I’m only using sasl for smtp auth through an alternate mechanism (authdaemond in my case), then this will end the spamming of your log file.

Seems indeed to be a problem, as I have cyrus-sasl-sql installed.

yum list installed | grep cyrus-sasl

So remove it with:

yum remove cyrus-sasl-sql

And the error message is gone. (Check by restarting postfix and checking /var/log/messages).

Unbound SELINUX problem with root.anchor

A filtering mail server does lots of DNS lookups, because of the large number of spammers who use all kinds of (bogus) host names, and because of DNS-based blacklists. You want to cache DNS requests so your mail flow will not be needlessly delayed by nameserver requests.

Of course a spam- and virus-filtering server needs to be tough. Do not disable SELinux. If you don’t know SELinux, watch this great video: SELinux For Mere Mortals, by Thomas Cameron, Red Hat Summit 2012.

I chose Unbound because of its reputation of being fast, modern, and secure. And it is developed in The Netherlands.

Installation of Unbound

yum install unbound (EPEL repo)

That installs these packages:

  • ldns-1.6.16-2.el6.x86_64.rpm
  • libevent-1.4.13-4.el6.x86_64.rpm
  • unbound-1.4.21-1.el6.x86_64.rpm
  • unbound-libs-1.4.21-1.el6.x86_64.rpm

Error reading root.anchor

But the unbound service did not start successfully. There was a SELinux problem according to /var/log/messages:

Oct 17 12:57:42 filter unbound: [4004:0] error: unable to open /var/lib/unbound/root.anchor for reading: Permission denied
Oct 17 12:57:42 filter unbound: [4004:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.anchor
Oct 17 12:57:42 filter unbound: [4004:0] error: validator: error in trustanchors config
Oct 17 12:57:42 filter unbound: [4004:0] error: validator: could not apply configuration settings.
Oct 17 12:57:42 filter unbound: [4004:0] error: module init for module validator failed
Oct 17 12:57:42 filter unbound: [4004:0] fatal error: failed to setup modules

This specific error might be somewhat related to other SELinux packaging bugs, for example bug 963067 and bug 896599.

Fix using audit2allow

Googling for “audit2allow el6” tells me it’s in policycoreutils-python, so let’s install that:

yum install policycoreutils-python

And this is how we are going to fix it by creating a selinux policy:

grep unbound /var/log/audit/audit.log | grep root | audit2allow -M unbound-fix-anchor
semodule -i unbound-fix-anchor.pp

(Note that I first did a “grep anchor” but that didn’t do the trick, so then I tried a “grep root”.)

And yes, it works.
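The grep-and-audit2allow step above builds a policy module out of whatever audit records the greps let through, so it pays to look at those records first. The following shell script is an added example (not part of the original post) that summarises the distinct denials a "grep unbound | grep root" pipeline selects; the audit records, pids, inodes and SELinux contexts in it are constructed placeholders, and the third record is a deliberately unrelated denial that a broad "grep root" would still sweep into the module.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the AVC denials that a
# "grep unbound | grep root" pipeline would hand to audit2allow, so the policy
# module can be checked for unrelated rules before "semodule -i" installs it.
# Usage: avc_summary <comm> <grep-pattern> < /var/log/audit/audit.log
# Output: one line per distinct "source_type target_type class permissions".
avc_summary() {
    comm="$1"; pattern="$2"
    grep '^type=AVC ' | grep "comm=\"$comm\"" | grep -- "$pattern" \
    | awk '{
        perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }   # start of { perm ... }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        print src, tgt, cls, perms
    }' | sort -u
}

# Constructed audit records for this example (pids, inodes and the SELinux
# contexts are illustrative placeholders, not values from a real RHEL 6 box).
# The third record is an unrelated denial that still matches "root".
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1382011062.101:201): avc:  denied  { read } for  pid=4004 comm="unbound" name="root.anchor" dev=dm-0 ino=1001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1382011062.101:202): avc:  denied  { open } for  pid=4004 comm="unbound" path="/var/lib/unbound/root.anchor" dev=dm-0 ino=1001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1382011100.404:205): avc:  denied  { write } for  pid=4101 comm="unbound" name="root" dev=dm-0 ino=2 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=USER_AVC msg=audit(1382011200.505:210): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg=unbound service start'

echo "== denials matching 'root' (what the grep in the post selects) =="
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary unbound root
echo "== denials matching 'anchor' (only the root.anchor problem) =="
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary unbound anchor
```

On a live box, run `avc_summary unbound root < /var/log/audit/audit.log` and compare the lines with the allow rules in the .te file that `audit2allow -M` writes next to the .pp, before installing the module with semodule.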

Configure Unbound for a mailserver

I love a large DNS cache to speed up mail delivery and lower network traffic from my mail server. Luckily, there is an Unbound optimization guide. Add the text below to /etc/unbound/unbound.conf:

    # more cache memory, rrset=msg*2
    # Due to malloc overhead, the total memory usage is likely
    # to rise to double (or 2.5x) the total cache memory!!
    rrset-cache-size: 100m
    msg-cache-size: 50m

Furthermore, you might want to answer queries for internal mail servers with their local IP addresses. Add to /etc/unbound/local.d/internal-mailservers.conf:

local-data: "bifrost.evert.net. IN A 10.0.0.7"
local-data: "bifrost. IN A 10.0.0.7"

Configure Postfix to use the local DNS caching nameserver

Of course, don’t forget to make sure your mailserver uses the DNS caching nameserver. There are various methods to do so:

  • edit /etc/resolv.conf (if you don’t use Network Manager), set nameserver 127.0.0.1
  • configure using Network Manager
  • edit /etc/sysconfig/network-scripts/ifcfg-eth0, set BOOTPROTO=dhcp and PEERDNS=no (if PEERDNS is disabled, then /etc/resolv.conf will not be modified when this interface gets its DHCP address)
  • when using DHCP, set a custom DHCP reservation with DNS server 127.0.0.1 for the mailserver

nofail and nobootwait mount options in fstab prevent boot problems

Problem description: You (re)boot your computer, e.g. a headless server. The boot process can halt or exit to rescue mode when an external disk is unavailable or when an internal but non-critical disk is out of order.

  • mountall tries to automount all entries from fstab that have the defaults or auto mount options. It will halt the boot process if such entries cannot be mounted, except when the mount option nobootwait is given.
  • fsck tries to do a filesystem check on all entries from fstab that have the sixth field set to 1 or 2. Non-critical drives typically have this field set to 2. It will halt the boot process if such filesystems cannot be checked, except when the mount option nofail is given.

A possible disadvantage of nobootwait is that, if the disk is actually present, it will do the file system check in the background and continue booting. That might be exactly what you want for e.g. external drives, but if other services depend on the drive, then those services can fail.

Another disadvantage of nobootwait is the fact that it is not supported by all Linux distributions. For example, using Scientific Linux (RHEL) 6.4, I cannot mount a partition that has the nobootwait set in fstab.

According to the fsck man page, this is what nofail does:

fsck normally does not check whether the device actually exists before calling a file system specific checker. Therefore non-existing devices may cause the system to enter file system repair mode during boot if the filesystem specific checker returns a fatal error. The /etc/fstab mount option nofail may be used to have fsck skip non-existing devices. fsck also skips non-existing devices that have the special file system type auto.

Ubuntu has a bug listed: “mountall ignores nofail mount option”. That makes sense, as mountall has not implemented nofail. It uses nobootwait. The bug reporters argue that both mountall and fsck should make use of the nofail option, and I agree with them.

So, if you want to be on the safe side, you

  • should use both nobootwait and nofail.
  • should test this with a manual umount followed by a mount.
  • should have no services depending on non-critical disks.

Below is an example from my own SL 6.4 server using only the nofail option, because mounting with the nobootwait option present gives an error.

LABEL=Series  /mnt/filer/Series  xfs  auto,nofail,nodev,noexec,nouser,noatime  0  2
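As an added example (not from the original post), the shell function below applies the rules described above to an fstab: it reports entries that are not the root filesystem, are mounted automatically, have an fsck pass number above 0 and lack nofail. Only nofail counts as protection, because the post reports that mounting with nobootwait fails on Scientific Linux 6.4; the sample fstab, labels and UUID are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report fstab entries that can
# drop a headless RHEL 6 box into the repair shell when their device is
# missing at boot. Usage: fstab_boot_risks < /etc/fstab
fstab_boot_risks() {
    awk '
        /^[ \t]*#/ { next }                   # comment line
        NF < 4     { next }                   # blank or malformed line
        {
            dev = $1; mnt = $2; opts = "," $4 ","
            pass = (NF >= 6) ? $6 : 0         # a missing pass field means 0
            if (mnt == "/")        next       # root has to block the boot anyway
            if (opts ~ /,noauto,/) next       # never mounted by "mount -a"
            if (pass == 0)         next       # fsck does not run on it
            if (opts ~ /,nofail,/) next       # fsck and mount skip a missing device
            print dev, mnt                    # nobootwait alone does not help on SL 6.4
        }'
}

# Constructed fstab for this example; the labels and UUID are placeholders.
SAMPLE_FSTAB='# <device>     <mount point>      <type> <options>                               <dump> <pass>
UUID=0000-root   /                  ext4   defaults                                1 1
LABEL=Series     /mnt/filer/Series  xfs    auto,nofail,nodev,noexec,nouser,noatime 0 2
LABEL=Backup     /mnt/backup        ext4   defaults                                0 2
/dev/sdd1        /mnt/usb           vfat   defaults,nobootwait                     0 2
LABEL=Scratch    /mnt/scratch       ext4   noauto,user                             0 2
tmpfs            /dev/shm           tmpfs  defaults                                0 0'

echo "Entries that can halt the boot if the device is missing:"
printf '%s\n' "$SAMPLE_FSTAB" | fstab_boot_risks
```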

Sources:

F.lux or no F.lux and Linux!

I’ve been using a program called F.lux or Flux for over a year now.

The program is based on the research that blue light keeps you awake and alert. Not something that you’d want at night. So this program adapts the display to show warmer colors at night. You can read more about the program on its website. Normally flux adapts the colors as the day progresses and night starts, but I preferred to keep the colors warm (yellow-ish) all day long. It’s really easy on the eyes, even for those long hours spent staring at a computer screen.

However, Flux for Linux lacks the features that its Windows version offers, most particularly the options for controlling the color phase during the daytime. Also, getting it to work on a dual monitor setup was more effort than I intended to spend. So I decided to forgo the program altogether in favor of changing the color profile of the monitor itself.

Most monitors have the color settings that allow you to pick the RGB (Red Green Blue) levels in your monitor. I fiddled around with mine and set the levels of R-100, G-100, B-0. Hence getting the blue component out of the display and achieving the same effect as flux.

Try it out yourself and see if you can adjust to it. I’d suggest using the default settings of flux till you stop noticing the yellow color of the monitor and then moving to yellow color altogether. I’d recommend giving it two weeks of usage before making a decision on if you want to stop using it or not since it feels odd initially and it takes a bit to get used to.

Let us know if it worked out for you!

Notes

How to add a custom filetype to Linux


In this example, we will add support for MHTML / MHT files.

Note that the MIME type for MHTML is not well agreed upon. Used MIME types include:

  • multipart/related
  • application/x-mimearchive
  • message/rfc822

According to a StackOverflow question, message/rfc822 should be used. A recent discussion on FreeDesktop, however, recommends application/x-mimearchive as a subtype of multipart/related. I will use message/rfc822 in the examples below and have added this ambiguity to the Wikipedia article.

Installing Haiku directly to a disk partition

Introduction

Haiku is something like Windows or Linux: an Operating System (OS). Some geeks like to play with alternative operating systems; if you are one of those geeks, you might want to give Haiku a try. Haiku is very fast and easy to use, but currently there are not many applications you can use with Haiku.

Haiku is a new open-source operating system that specifically targets personal computing. Inspired by the BeOS, Haiku is fast, simple to use, easy to learn and yet very powerful.

In this post, I will describe how to install Haiku on a spare harddisk partition directly without using a CD-ROM or USB memory key. I furthermore assume that you already installed Linux on another partition.

Best free productivity Android Apps for S3

Now that you just got yourself one of the best smartphones around, the Samsung Galaxy SIII, it is time to start installing apps on it. The Galaxy S III already comes pre-installed with apps like Google Search, Maps, Navigator, Gmail, YouTube, Calendar, Google Talk, Picasa integration, Swype, Dropbox etc. Here I have jotted down some more essential free apps for the Galaxy SIII to get the most out of your phone. Though this list is focused on the S3, most of these apps are good for any Android device.


Horizontal Scrolling for MySQL queries in Linux

Everyone who works with databases on a Linux terminal faces this issue at some point in time — executing select * on a table with too many columns. And since there is no horizontal scrolling in a Linux terminal, the output is wrapped and hence completely unusable.

You can use the

--pager

option to get rid of that text wrap.

Installing transmission and dnsmasq on a NAS

Introduction

In our student dorm, we want to share files. We also have one shared internet connection using ADSL. The download speed is OK, but the uplink is weak. Many students like to use torrents, which quickly drain the uplink and the connection table of the modem/router. So I set up a server with a torrent client, which was accessible through a web interface. I replaced this server with an Iomega StorCenter Ix2-200 Cloud Edition Network Attached Storage (NAS) device, which I will refer to as ix-2.

The default torrent client on the ix-2 is bad beyond imagination, so I wanted to install transmission-daemon.


Disclaimer

The views expressed on this blog are personal. We do not claim to be a representative voice of the views of any organisation whatsoever. We are not responsible for the content present on the blogs to which we have linked. Views expressed are solely those of the author and do not reflect a collective opinion of contributors.